| Summary: | icu new security issue CVE-2017-15422 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, lewyssmith, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK mga6-64-ok | ||
| Source RPM: | icu-58.2-3.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser 2017-12-07 14:57:54 CET

David Walser 2017-12-07 14:58:00 CET
Whiteboard: (none) => MGA5TOO

Assigning to the registered icu maintainer.

CC: (none) => marja11

Upstream commit to fix this:
https://ssl.icu-project.org/trac/changeset/40654

Added in Chromium source as:
chromium-63.0.3239.108/third_party/icu/patches/persian_cal.patch

Advisory:
========================

Updated icu packages fix security vulnerability:

Integer overflow in ICU in the Persian calendar (CVE-2017-15422).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15422
https://ssl.icu-project.org/trac/changeset/40654
https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
========================

Updated packages in core/updates_testing:
========================
icu-53.1-12.9.mga5
icu53-data-53.1-12.9.mga5
icu-doc-53.1-12.9.mga5
libicu53-53.1-12.9.mga5
libicu-devel-53.1-12.9.mga5
icu-58.2-3.2.mga6
icu58-data-58.2-3.2.mga6
icu-doc-58.2-3.2.mga6
libicu58-58.2-3.2.mga6
libicu-devel-58.2-3.2.mga6

from SRPMS:
icu-53.1-12.9.mga5.src.rpm
icu-58.2-3.2.mga6.src.rpm

Assignee: shlomif => qa-bugs

Testing M5/64

The CVE leads nowhere useful. Test reference: https://bugs.mageia.org/show_bug.cgi?id=21929#c5

Updated to:
icu-53.1-12.9.mga5
icu53-data-53.1-12.9.mga5
lib64icu-devel-53.1-12.9.mga5
lib64icu53-53.1-12.9.mga5

Of the many programs provided by icu, none have man pages, but -h provides usage info - not always saying what the command does, including for 'uconv' which seems to be the main one! Important options:
  -l, --list              list all available encodings
  -f, --from-code code    set the original encoding
  -t, --to-code code      set the destination encoding
  -o, --output file       write output to file

I created a pure text file, and another containing French & Welsh accented characters.

$ icuinfo
<icuSystemParams type="icu4c">
...
</icuSystemParams>
ICU Initialization returned: U_ZERO_ERROR
Plugin file is: /usr/lib64/icu/icuplugins53.txt

$ uconv -l
shows a very long list of code lines which often contain many codenames; are these synonyms for the first cited? It seems so, because
$ uconv --list-code <one of the synonyms>
returns the first codename in the line.

$ uconv --default-code
UTF-8

Pure unaccented text -> SJIS conversion:
$ uconv -f UTF-8 -t SJIS -o sjis.txt simpletext.txt
$ cmp simpletext.txt sjis.txt
Identical files.
Convert back to ISO:
$ uconv -f SJIS -t ISO-8859-1 -o iso.txt sjis.txt
$ cmp simpletext.txt iso.txt
Identical files, i.e. original-converted-reconverted.

Accented characters:
$ cat accents.txt
é è ç à ù ê ô û ï î ŵ ŷ
$ uconv -f UTF-8 -t ISO-8859-1 -o iso.txt accents.txt
Conversion from Unicode to codepage failed at input byte position 30. Unicode: 0175 Error: Invalid character found
Try again.
$ uconv -f ISO-8859-1 -t UTF-8 -o iso.txt accents.txt
$ cat iso.txt
é è ç à ù ê ô û ï î ŵ Å·
$ uconv -f ISO-8859-1 -t SJIS -o sjis.txt accents.txt
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 00c3 Error: Invalid character found
I imagine this means that the output code page did not have é.

ISO-> UTF & back:
$ uconv -f ISO-8859-1 -t UTF-8 -o iso.txt accents.txt
$ cat iso.txt
é è ç à ù ê ô û ï î ŵ Å·
$ uconv -f UTF-8 -t ISO-8859-1 -o back.txt iso.txt
$ cat back.txt
é è ç à ù ê ô û ï î ŵ ŷ
$ cmp accents.txt back.txt
[Identical]

Simple text to/from different codes:
$ uconv -f UTF-8 -t IBM-1047 -o ibm.txt simpletext.txt
$ file ibm.txt
ibm.txt: Non-ISO extended-ASCII text, with NEL line terminators
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
$ file usa.txt
usa.txt: ASCII text
$ cmp simpletext.txt usa.txt
[identical]

Play with accents:
$ uconv -f ISO-8859-1 -t IBM-1047 -o ibm.txt accents.txt
$ uconv -f IBM-1047 -t us-ascii -o usa.txt ibm.txt
Conversion from Unicode to codepage failed at input byte position 0. Unicode: 00c3 Error: Invalid character found
Try again
$ uconv -f IBM-1047 -t UTF-8 -o utf.txt ibm.txt

Enough of this, my head spins. OKing.

Keywords: (none) => advisory

Installed updates and ran some tests of uconv; works as designed.
uconv -f UTF-8 -t UTF32_PlatformEndian -o b1.txt brian.txt
created a 64-byte file from a 16-byte file
uconv -f UTF32_PlatformEndian -t UTF-8 -o b2.txt b1.txt
created a 16-byte file from the 64-byte file and it views properly
Working as designed from this simple test.
$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK mga6-64-ok

Thank you Brian for the Mageia 6 OK. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0484.html

Status: NEW => RESOLVED
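The encoding checks from the QA comments above, redone with Python's built-in codecs so the numbers the testers reported can be accounted for: the failure at input byte position 30 with U+0175 (ŵ is not in ISO-8859-1), the failure at position 0 with U+00C3 when a UTF-8 file is converted with -f ISO-8859-1, and the 16-byte to 64-byte growth under UTF-32. This is an added example, not code from the bug report, Mageia or ICU; the sample text line and the 16-byte ASCII input are constructed, and the ISO-8859-14 (Latin-8) check goes beyond the page to show a codepage that does carry the Welsh ŵ and ŷ.

```python
# Added example (not from the bug report or ICU): redo the uconv checks
# from the QA comments with Python's built-in codecs.

# Constructed sample: the French + Welsh test line the tester used.
ACCENTS = "é è ç à ù ê ô û ï î ŵ ŷ"


def first_unmappable(text, target):
    """Mimic uconv's "failed at input byte position N. Unicode: XXXX".

    Returns (utf8_byte_offset, codepoint) of the first character the
    target codepage cannot represent, or None if every character maps.
    """
    offset = 0
    for ch in text:
        try:
            ch.encode(target)
        except UnicodeEncodeError:
            return offset, ord(ch)
        offset += len(ch.encode("utf-8"))  # uconv counts source (UTF-8) bytes
    return None


def roundtrips(text, via):
    """True if text -> via -> text comes back unchanged (the cmp test)."""
    try:
        return text.encode(via).decode(via) == text
    except UnicodeError:
        return False


def misdeclared_source(data, declared):
    """What uconv -f <declared> sees when the file is really UTF-8.

    A single-byte codepage decodes any byte, so nothing fails at this
    step; the UTF-8 pair C3 A9 ("é") simply becomes U+00C3 U+00A9, and
    U+00C3 is then the first character a target such as SJIS rejects.
    """
    return data.decode(declared)


def utf32_length(data, src="utf-8"):
    """Size after uconv -t UTF32_PlatformEndian: four bytes per code point."""
    return len(data.decode(src).encode("utf-32-le"))  # no BOM, so 16 -> 64


if __name__ == "__main__":
    print(first_unmappable(ACCENTS, "iso-8859-1"))   # (30, 373): ŵ, U+0175
    print(roundtrips(ACCENTS, "iso-8859-14"))       # True: Latin-8 has ŵ and ŷ
    garbled = misdeclared_source(ACCENTS.encode("utf-8"), "iso-8859-1")
    print(first_unmappable(garbled, "shift_jis"))   # (0, 195): U+00C3
    print(utf32_length(b"0123456789abcdef"))        # 64
```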